Display name impersonation using recipient SLD
The recipient domain's SLD is used in the sender's display name in order to impersonate the organization.
Sublime rule
name: "Display name impersonation using recipient SLD"
description: |
  The recipient domain's SLD is used in the sender's display name
  in order to impersonate the organization.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // recipient SLD is being impersonated in the display name
    (
      // these are usually targeted with just 1 recipient,
      // but sometimes they CC themselves or have a blank CC
      length(recipients.to) + length(recipients.cc)
        + length(recipients.bcc) <= 2
      and any(recipients.to,
              length(.email.domain.sld) >= 4
              and
              // ensure that we're checking the org SLD
              .email.domain.sld in $org_slds
              and strings.icontains(sender.display_name, .email.domain.sld)
      )
    )
    or (
      // accounts for BCC'd messages where the recipients are empty
      // if BCC, sometimes the recipient will be the attacker's email
      length(recipients.to) + length(recipients.cc)
        + length(recipients.bcc) <= 2
      and length(mailbox.email.domain.sld) >= 4
      and strings.icontains(sender.display_name, mailbox.email.domain.sld)
    )
  )
  and (
    // at least 1 link or non-image attachment
    (
      length(body.links) > 0
      // these attacks all use compromised senders, so we look for a domain
      // that doesn't match the sender's domain to weed out legit messages
      and any(body.links,
              .href_url.domain.root_domain != sender.email.domain.root_domain
      )
    )
    or length(filter(attachments, .file_type not in $file_types_images)) > 0
  )
  and not (
    strings.contains(sender.display_name, "on behalf of")
    and sender.email.domain.root_domain == "microsoftonline.com"
  )
  // negate pageproof updates
  and not (
    sender.email.email == 'team@pageproof.com'
  )
  and all(recipients.to,
          .email.email != sender.email.email
          and (
            .email.domain.valid or strings.icontains(.display_name, "undisclosed")
          )
  )

  // negate org domain senders, which can often be misconfigured and fail
  // authentication, causing them to be type.inbound instead of type.internal.
  // this is fine because we should catch spoofs in other ways.
  // also, we use root_domain here to account for subdomains used by internal tools that aren't connected to the tenant.
  // this should also be safe because domains like onmicrosoft[.]com are tracked as FQDNs in $org_domains, so they won't match
  and sender.email.domain.root_domain not in $org_domains

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and (
    (not profile.by_sender().solicited)
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "81a8ed12-0e26-5998-90ae-03334f358704"
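To show how the rule's core conditions fit together, here is an added Python re-implementation of its main checks run over a handful of constructed sample messages. It is example code written for this page, not Sublime's rule engine or MQL: the `Message` record, the `ORG_SLDS`/`ORG_DOMAINS`/`HIGH_TRUST_ROOT_DOMAINS`/`IMAGE_TYPES` sets (stand-ins for `$org_slds`, `$org_domains`, `$high_trust_sender_root_domains` and `$file_types_images`), the two-label `root_domain` helper and every address and domain in `SAMPLES` are assumptions constructed for the demo. The sender-profile clauses (`profile.by_sender()`), the "on behalf of"/pageproof negations and the `.email.domain.valid` sub-check are deliberately left out, since they depend on tenant history rather than message content.

```python
"""Added example (not Sublime's code): the recipient-SLD display-name
impersonation checks from the rule above, applied to constructed messages."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed org configuration standing in for the rule's $org_slds,
# $org_domains, $high_trust_sender_root_domains and $file_types_images.
ORG_SLDS = {"acmecorp"}
ORG_DOMAINS = {"acmecorp.com", "acmecorp.onmicrosoft.com"}  # onmicrosoft tracked as FQDN
HIGH_TRUST_ROOT_DOMAINS = {"google.com", "microsoft.com"}
IMAGE_TYPES = {"png", "jpg", "jpeg", "gif"}

@dataclass
class Message:
    sender_display_name: str
    sender_email: str
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    link_domains: list[str] = field(default_factory=list)   # hosts of body links
    attachment_types: list[str] = field(default_factory=list)
    dmarc_pass: bool = True
    mailbox: str = ""   # receiving mailbox, used for BCC-only delivery

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def root_domain(host: str) -> str:
    # Assumption: a two-label root (no public-suffix list); enough for sample data.
    return ".".join(host.lower().split(".")[-2:])

def sld(host: str) -> str:
    return root_domain(host).split(".")[0]

def recipient_sld_impersonated(m: Message) -> bool:
    # Both branches of the rule cap the recipient count at 2.
    if len(m.to) + len(m.cc) + len(m.bcc) > 2:
        return False
    name = m.sender_display_name.lower()
    # Branch 1: a To recipient whose org SLD (>= 4 chars) appears in the display name.
    for rcpt in m.to:
        s = sld(domain(rcpt))
        if len(s) >= 4 and s in ORG_SLDS and s in name:
            return True
    # Branch 2: BCC-style delivery, so fall back to the receiving mailbox's SLD.
    if m.mailbox:
        s = sld(domain(m.mailbox))
        if len(s) >= 4 and s in name:
            return True
    return False

def has_payload(m: Message) -> bool:
    # At least one link whose root domain differs from the sender's,
    # or at least one non-image attachment.
    sender_root = root_domain(domain(m.sender_email))
    off_domain_link = any(root_domain(h) != sender_root for h in m.link_domains)
    non_image = any(t.lower() not in IMAGE_TYPES for t in m.attachment_types)
    return off_domain_link or non_image

def matches_rule(m: Message) -> bool:
    if not (recipient_sld_impersonated(m) and has_payload(m)):
        return False
    sender_root = root_domain(domain(m.sender_email))
    # Negate org-domain senders; root_domain covers internal-tool subdomains.
    if sender_root in ORG_DOMAINS:
        return False
    # Negate high-trust senders unless DMARC failed.
    if sender_root in HIGH_TRUST_ROOT_DOMAINS and m.dmarc_pass:
        return False
    # all(recipients.to, .email.email != sender.email.email ...)
    if any(r.lower() == m.sender_email.lower() for r in m.to):
        return False
    return True

# Constructed sample messages; every address and domain here is made up.
SAMPLES = {
    "phish": Message("AcmeCorp IT Helpdesk", "ops@compromised-example.net",
                     to=["alice@acmecorp.com"], link_domains=["evil-login.example"]),
    "self_link": Message("AcmeCorp IT Helpdesk", "ops@compromised-example.net",
                         to=["alice@acmecorp.com"], link_domains=["compromised-example.net"]),
    "internal": Message("AcmeCorp Alerts", "noreply@tools.acmecorp.com",
                        to=["alice@acmecorp.com"], link_domains=["other.example"]),
    "trusted": Message("AcmeCorp via Google", "shares@google.com",
                       to=["alice@acmecorp.com"], link_domains=["forms-login.example"]),
    "trusted_dmarc_fail": Message("AcmeCorp via Google", "shares@google.com",
                                  to=["alice@acmecorp.com"], link_domains=["forms-login.example"],
                                  dmarc_pass=False),
    "bulk": Message("AcmeCorp HR", "hr@compromised-example.net",
                    to=["a@acmecorp.com", "b@acmecorp.com", "c@acmecorp.com"],
                    link_domains=["evil-login.example"]),
    "bcc": Message("AcmeCorp Payroll", "pay@compromised-example.net",
                   to=[], bcc=["bob@acmecorp.com"], attachment_types=["pdf"],
                   mailbox="bob@acmecorp.com"),
}

def evaluate_samples() -> dict[str, bool]:
    return {name: matches_rule(m) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} -> {'MATCH' if hit else 'no match'}")
```

The samples exercise each clause in turn: `self_link` fails the off-domain-link test, `internal` is dropped by the org root-domain negation, `trusted` is dropped only while DMARC passes, `bulk` exceeds the two-recipient cap, and `bcc` shows the mailbox fallback firing when `To` is empty.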